This allows you to log in as another user, without supplying their password. Suppose a client of your application has a problem at a certain page which you want to investigate. Sometimes this is not possible under your own account, as you don't have the same data as the user, so the issue might not even occur in your account. Instead of asking the user itself for the password, which is cumbersome, and not a very safe thing to begin with, you can use the switch-user feature.

He talks about how to enable it, how to use it to switch to another user and, most importantly, how to restrict its use. He points out that there's no built-in way to define which users a given user may switch to, so he's come up with a custom "switch listener" to add that protection. His "SwitchUserListener" class replicates the original handling (in fact the whole class) and updates the "attemptSwitchUser" method to look at the user being switched to and verify that the switcher holds the right role for that target. Finally he shows how to add it to the services configuration so that it overrides the default listener.
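The decision the post adds inside "attemptSwitchUser" can be isolated from the listener itself. The following is an added example, not the SwitchUserListener from the post: a standalone policy that only permits switching to an account with strictly less privilege, so that an admin cannot impersonate another admin and a support user cannot impersonate an admin. ROLE_ALLOWED_TO_SWITCH is Symfony's default role for switching; the other role names, their ranks and the sample accounts are assumptions for the example (PHP 7.1+).

```php
<?php
// Added example: a standalone policy check for user switching. It is not the
// SwitchUserListener from the post; it isolates the "who may impersonate whom"
// decision the post adds inside attemptSwitchUser(). ROLE_ALLOWED_TO_SWITCH is
// Symfony's default switch role; the other role names and ranks are assumptions.

declare(strict_types=1);

final class SwitchPolicy
{
    // Higher rank = more privilege. A user may only switch to an account whose
    // highest rank is strictly lower than their own, which blocks sideways
    // moves (admin -> admin) as well as escalation (support -> admin).
    private const RANK = [
        'ROLE_SUPER_ADMIN'       => 3,
        'ROLE_ADMIN'             => 2,
        'ROLE_SUPPORT'           => 1,
        'ROLE_USER'              => 0,
        'ROLE_ALLOWED_TO_SWITCH' => 0, // grants the ability to switch, no rank
    ];

    /** @param string[] $roles */
    private static function highestRank(array $roles, int $unknownRank): int
    {
        $ranks = [-1];
        foreach ($roles as $role) {
            $ranks[] = self::RANK[$role] ?? $unknownRank;
        }
        return max($ranks);
    }

    /**
     * @param string[] $switcherRoles roles of the authenticated user
     * @param string[] $targetRoles   roles of the account to impersonate
     * @return string|null            null if the switch is allowed, else the reason to deny
     */
    public static function deny(array $switcherRoles, array $targetRoles): ?string
    {
        if (!in_array('ROLE_ALLOWED_TO_SWITCH', $switcherRoles, true)) {
            return 'switcher lacks ROLE_ALLOWED_TO_SWITCH';
        }
        // Unknown roles on the switcher grant nothing; unknown roles on the
        // target count as maximally privileged, so a typo or an unranked new
        // role fails closed rather than open.
        $switcher = self::highestRank($switcherRoles, -1);
        $target   = self::highestRank($targetRoles, PHP_INT_MAX);
        if ($target >= $switcher) {
            return 'target is at least as privileged as the switcher';
        }
        return null;
    }
}

// Demo with constructed accounts. Every decision is written to the audit
// trail, because impersonation is exactly the kind of action you want to be
// able to reconstruct later.
$accounts = [
    'root'     => ['ROLE_SUPER_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'],
    'ops'      => ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'],
    'helpdesk' => ['ROLE_SUPPORT', 'ROLE_ALLOWED_TO_SWITCH'],
    'alice'    => ['ROLE_USER'],
    'bob'      => ['ROLE_USER', 'ROLE_BILLING'], // ROLE_BILLING was never ranked
];
$attempts = [['helpdesk', 'alice'], ['helpdesk', 'ops'], ['ops', 'helpdesk'],
             ['ops', 'root'], ['alice', 'bob'], ['ops', 'bob']];
foreach ($attempts as [$from, $to]) {
    $reason = SwitchPolicy::deny($accounts[$from], $accounts[$to]);
    printf("audit: %s -> %s: %s\n", $from, $to,
        $reason === null ? 'ALLOWED' : "DENIED ($reason)");
}
```

Of the six attempts only helpdesk -> alice and ops -> helpdesk are allowed; ops -> bob is refused because bob carries a role the policy has never ranked, which is the safer default when a new role is introduced and nobody updates the policy.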

Link: https://www.adayinthelifeof.nl/2015/02/24/advanced-user-switching/ (posted Wed, 25 Feb 2015 09:12:05 -0600; http://www.phpdeveloper.org/news/21921)
On the SitePoint PHP blog there's a new tutorial today showing you how to set up a user login through PayPal, letting users authenticate to your application through PayPal's systems.

Curiosity is one of the most important traits in our job. The other day, I found myself exploring PayPal documentation to find something interesting to learn (and share). After a while I stumbled upon the Log In with PayPal tool. With the "Log In with PayPal" tool, your users can authenticate into your application using PayPal. It's the same procedure we already know for Facebook, or maybe Twitter and GitHub. Using this type of authentication is recommended if you want to integrate it with an e-commerce website, but you can use it in every situation and application that requires a user account or membership.

He starts by answering the "why use it" question, suggesting that it adheres to one of the main goals of a good, secure authentication system - simplicity. He then shares an overview of how the process flow works, including a graphic outlining each piece involved and what kinds of data are transmitted at each step. He then walks you through the full process of setting up a PayPal application on your account and using the Httpful library (installed via Composer) to connect to their API. He includes the code you'll need in your application to provide the link to PayPal for the login and the page it will return to once the process is complete.
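The two application-side pieces of that flow, the outgoing login link and the return page, are where a login-via-third-party integration usually goes wrong: if the return page accepts any authorization code it is handed, an attacker can push their own PayPal session into a victim's browser. The following is an added example and not the tutorial's code: it builds the redirect with a one-time "state" value bound to the session and refuses the callback unless the state matches and has not been used. The authorize endpoint, client id and redirect URI are placeholders (take the real values from PayPal's documentation); the in-memory session is constructed so the example runs offline (PHP 7.1+).

```php
<?php
// Added example (not from the SitePoint tutorial): the two application-side
// steps of an OAuth2/OpenID Connect login such as "Log In with PayPal" -
// building the redirect with a one-time state value, and validating that
// value on the return URL before the code is exchanged for tokens. The
// endpoint and the two placeholders below are assumptions for illustration.

declare(strict_types=1);

const AUTHORIZE_ENDPOINT = 'https://www.paypal.com/signin/authorize'; // assumed
const CLIENT_ID          = 'your-client-id';                          // placeholder
const REDIRECT_URI       = 'https://app.example/paypal/return';       // placeholder

/** Step 1: build the login link and remember the state in the session. */
function buildLoginUrl(array &$session): string
{
    // 128 bits from the CSPRNG, stored server-side so the callback can only
    // complete a login that this browser session actually started.
    $state = bin2hex(random_bytes(16));
    $session['oauth_state']         = $state;
    $session['oauth_state_expires'] = time() + 600; // 10 minutes

    return AUTHORIZE_ENDPOINT . '?' . http_build_query([
        'client_id'     => CLIENT_ID,
        'response_type' => 'code',
        'scope'         => 'openid email',
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $state,
    ]);
}

/**
 * Step 2: on the return page, refuse the code unless the state matches.
 * Returns the authorization code to exchange, or null if the request must be
 * rejected (forged or replayed callback, or a login that never started here).
 */
function acceptCallback(array &$session, array $query): ?string
{
    $expected = $session['oauth_state'] ?? null;
    $expires  = $session['oauth_state_expires'] ?? 0;
    // Consume the state whether or not it matches: one login attempt, one use.
    unset($session['oauth_state'], $session['oauth_state_expires']);

    if ($expected === null || time() > $expires) {
        return null;
    }
    if (!isset($query['state'], $query['code'])
        || !is_string($query['state']) || !is_string($query['code'])) {
        return null;
    }
    if (!hash_equals($expected, $query['state'])) {
        return null; // someone else's callback being pushed into this session
    }
    return $query['code'];
}

// Demo with a constructed in-memory "session"; no network access.
$session = [];
$url = buildLoginUrl($session);
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
echo "redirect to: $url\n";

// Genuine callback: state matches, the code is handed back for the exchange.
var_dump(acceptCallback($session, ['state' => $params['state'], 'code' => 'AUTHCODE1']));
// Replay of the same callback: the state was consumed, so it is rejected.
var_dump(acceptCallback($session, ['state' => $params['state'], 'code' => 'AUTHCODE1']));
// A callback carrying a different login's state against a fresh session is rejected.
$other = [];
buildLoginUrl($other);
var_dump(acceptCallback($other, ['state' => $params['state'], 'code' => 'AUTHCODE2']));
```

The comparison uses hash_equals() so that the check does not leak the expected state byte by byte, and the state is removed before any of the checks run, so a failed attempt cannot be retried against the same stored value.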

Link: http://www.sitepoint.com/implement-user-log-paypal/ (posted Mon, 03 Nov 2014 12:19:09 -0600; http://www.phpdeveloper.org/news/21813)
In this new post to his site Joshua Thijssen talks about something that's usually considered a common task and might be overlooked when it comes to security: logging out (specifically in Symfony-based applications).

One of the "golden rules" of symfony2 is to never hardcode urls or paths inside your code or templates. And letting symfony deal with the generation of your urls and paths makes your life a lot easier as a developer. But one of the things I see regularly is that people are still hardcoding their logout urls like using "/logout". But logging out is actually a bit more complex than it might seem, and using a simple /logout might work for most cases, but there are better ways to deal with this.

To give some context, he starts with an overview of the Security component of the Symfony framework, mentioning how it can be configured with different "secure" areas and how they handle user authentication. He includes an example configuration of these "firewalls" in a YAML document with three different sections: "dev", "superadminstuff" and "main". He explains what each of these sections configures and how they will react when the user visits them. He also covers the "logout: true" handling and the defaults that apply when it's used. He suggests that, instead of a hard-coded "logout" URL in your application, you make use of the "logout_url" and "logout_path" functions to create the link for you, keeping it consistent across the application and easier to reconfigure.
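The practical reason the hard-coded link is a problem, beyond maintainability, is that the logout handling has configuration of its own: the path can be changed, the session is invalidated, and when CSRF protection is enabled for logout the listener expects a token that only the generated link carries. The following is an added configuration example, not the one from the post; the paths are placeholders and the CSRF key name is the Symfony 2.4+ spelling (earlier 2.x releases used "csrf_provider").

```yaml
# Added example, not the configuration from the post: a Symfony 2.x
# app/config/security.yml firewall whose logout handling is configured
# rather than left at the "logout: true" defaults. Paths are placeholders.
security:
    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern:    ^/
            anonymous:  ~
            form_login:
                login_path: /login
                check_path: /login_check
            logout:
                path:   /account/logout    # changing this must not break any link
                target: /
                invalidate_session: true   # drop the server-side session, not just the cookie
                # With this set, logout_path('main') appends the CSRF token to the
                # link; a hard-coded href="/account/logout" carries no token and the
                # logout listener rejects the request.
                csrf_token_generator: security.csrf.token_manager   # 2.4+ key name

# In a Twig template, generate the link rather than hard-coding it:
#   <a href="{{ logout_path('main') }}">Log out</a>
```

The same template line keeps working if the path above is later changed or if the CSRF option is added afterwards, which is the point of the post.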

Link: https://www.adayinthelifeof.nl/2014/10/06/symfony2-logging-out/ (posted Fri, 10 Oct 2014 10:51:03 -0500; http://www.phpdeveloper.org/news/21800)
In his latest post Cal Evans reminds us, as software developers, that our job isn't only about writing the best code or using the most technology. It's also about having empathy for the users of the software we build.

I learned something very important in all of [the troubles I had with traveling to Amsterdam], I learned that we as software developers and designers need to have a great deal of empathy for the people using what we build. It is not enough to put yourself in your user's shoes, you have to put yourself in their mindset. You have to design every user interaction with an understanding of not only who is using your software, but why they are using it.

He focuses the rest of the post on his experience after the delay, trying to get an update on where in the world his luggage might be via a URL given to him by the lost-luggage desk. He comments on the terseness of the message he was given on the page ("Delivery Initiated"), pointing out that it's not user-friendly and doesn't really give much information. He suggests that the developers of the tool didn't actually think about end users, only that they should show a status, and that was all.

It is not enough to create personas and figure out who is using your software. You need to understand why they are using it, and what their mindset will be when they are using it. You need to have empathy for your users.

Link: http://blog.calevans.com/2014/10/07/delivery-initated-a-word-on-having-empathy-for-the-users-of-your-software/ (posted Wed, 08 Oct 2014 09:24:37 -0500; http://www.phpdeveloper.org/news/21309)
In this post to the CodeOfANinja.com site, they walk you through password hashing, salting and storage using the phpass library from Openwall. The post itself is a bit older, but the content still provides a good example to teach the basics.

I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steals your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMSs already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

The tutorial shows you how to use the library and how to store the result in a simple "users" table in a MySQL database. The examples hash the password given from a simple form and use prepared statements (via PDO) to save it to the database. All PHP, HTML and CSS code you'll need - including the login form that checks the username/password - is included. There's also a few screenshots showing what the resulting forms and data should look like.
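The same register-and-verify flow, as an added example rather than the tutorial's code. Where the tutorial calls phpass's HashPassword() and CheckPassword(), this uses the password_hash()/password_verify() functions built into PHP 5.5+, which produce bcrypt hashes with a per-password random salt and are the better choice for new code. An in-memory SQLite database stands in for the tutorial's MySQL "users" table so the example runs offline (it assumes the pdo_sqlite extension); the column names are assumptions.

```php
<?php
// Added example, not the tutorial's code. Registration and login against a
// users table with prepared statements, using PHP's built-in password_hash()
// and password_verify() instead of the phpass PasswordHash class. SQLite in
// memory replaces the tutorial's MySQL table; the schema is an assumption.

declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // work factor; raise it as hardware gets faster

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // The random salt is generated and embedded in the hash string by
    // password_hash(); there is no separate salt column to store.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** A hash of a throwaway value, computed once, used when the username is unknown. */
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    return $hash;
}

/**
 * Returns the user id on success, null on failure. Unknown user and wrong
 * password give the same answer, and both paths run one bcrypt verification,
 * so neither the message nor the timing reveals which usernames exist.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row === false ? dummyHash() : $row['password_hash'];
    $ok   = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id')
           ->execute([':h' => password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS),
                      ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Demo with constructed input.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(authenticate($db, 'alice', 'correct horse battery staple'));
var_dump(authenticate($db, 'alice', 'wrong'));
var_dump(authenticate($db, 'nobody', 'anything'));
```

Only the first call returns a user id. The rehash step matters for a table that was originally filled by phpass or with a lower cost: each successful login quietly replaces the old hash, and no bulk migration of stored passwords is needed.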

Link: http://www.codeofaninja.com/2013/03/php-hash-password.html (posted Mon, 16 Jun 2014 11:15:37 -0500; http://www.phpdeveloper.org/news/20051)
The Nomad PHP (virtual) user group has announced their speaker for the November 2013 meeting - Ed Finkler talking about the problems that come with having "more code" in your applications.

In this talk I'll extend the concepts to other languages we work with in web development, establishing these core principles: learn languages, not frameworks; build small things; less code is better than more; and create and use simple, readable code. We'll cover how following these principles makes you a better developer, and makes the job of maintaining and verifying your code much easier.

The meeting is on November 14th and you'll have to sign up if you'd like to attend. There's a $10 USD cost for a ticket and you can purchase them right up until the event.

Link: http://nomadphp.com/2013/08/29/november-2013/ (posted Fri, 30 Aug 2013 10:38:38 -0500; http://www.phpdeveloper.org/news/19993)
On Reddit.com today there's a post asking for suggestions of tools to test a REST API from the outside (like a user, not unit testing).

Does anybody know of any tools to test a REST API from the POV of a client? Behat and Cucumber seem to be cool, but are these the right tools to benchmark directly through HTTP?

Link: http://www.reddit.com/r/PHP/comments/1kg515/tools_to_test_a_rest_api (posted Fri, 16 Aug 2013 12:53:17 -0500; http://www.phpdeveloper.org/news/19729)
Sameer Borate has a new post today showing how you can do simple user authentication in a Laravel 4-based application using the built-in Auth functionality.

With the recent release of Laravel 4, PHP developers have at their disposal one of the finest frameworks for application development. As with all new frameworks, it is always good to write some quick code to get a feel for the underlying architecture. The following post shows a simple authentication application using Laravel.

He walks you through the creation of the simple "users" table, the configuration the Auth class needs to connect and authenticate, and the login form. He also shows the steps of the actual authentication process as well as the code for the routes to make it all work. Additionally, he shows how to restrict pages to only those users with "admin" level access via an auth filter. The example code is available for download from the post.
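The restriction step is worth seeing in code, because the common mistake is to check only that someone is logged in and not what level they hold. The following is an added example, not the code from the post: Laravel 4 route filters where "auth" rejects anonymous requests and "admin" additionally requires an admin level, chained on the protected route so the second filter can rely on the first. The integer "level" column, the value 10 for admin and the form field names are assumptions.

```php
<?php
// Added example, not the code from Sameer Borate's post: Laravel 4 route
// filters that restrict a page to authenticated users with an "admin" level.
// Assumptions: the users table has an integer `level` column (10 = admin) and
// the login form posts `username` and `password`.

// app/filters.php
Route::filter('auth', function () {
    if (Auth::guest()) {
        // Remember the requested URL so Redirect::intended() can return there.
        return Redirect::guest('login');
    }
});

Route::filter('admin', function () {
    // Runs after 'auth' (see the route below), so Auth::user() is not null.
    // Deny with 403 rather than quietly redirecting to a public page, so the
    // refusal is visible in logs and to the user.
    if ((int) Auth::user()->level < 10) {
        App::abort(403);
    }
});

// app/routes.php
Route::post('login', function () {
    $credentials = array(
        'username' => Input::get('username'),
        'password' => Input::get('password'),
    );
    // Auth::attempt() hashes the submitted password and compares it with the
    // stored hash; the cleartext is never stored or logged.
    if (Auth::attempt($credentials)) {
        return Redirect::intended('admin');
    }
    // One generic message for both unknown user and wrong password.
    return Redirect::to('login')->with('error', 'Invalid credentials');
});

// Both filters must pass; a plain 'auth' here would let any logged-in user in.
Route::get('admin', array('before' => 'auth|admin', function () {
    return 'Admin area, ' . e(Auth::user()->username);
}));
```

Because filters are attached per route, it is easy to forget one on a new admin page; grouping admin routes under Route::group(array('before' => 'auth|admin'), ...) applies the check to every route in the group.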

Link: http://www.codediesel.com/frameworks/simple-user-authentication-in-laravel-4 (posted Mon, 17 Jun 2013 14:22:01 -0500; http://www.phpdeveloper.org/news/19599)
On PHPMaster.com today they've posted the first part of a series spotlighting Openbiz Cubi, a PHP "framework" with a business focus.

Openbiz Cubi is a robust PHP application framework giving developers the ability to create business applications with minimal effort. In this two-part series I'll explain the concepts and steps necessary to create your own business web applications with Cubi. We'll look first at the challenges web developers face and how Openbiz Cubi can help, and then how to install Cubi. In part 2 we'll see how to create our own modules.

They start off by describing the tool and some of the features that come with it (including user management and the XML data object structure). Complete installation instructions are included, along with a screenshot of the end result. They include a "quick tour" of Cubi's features and some of the modules that come with it, like the System, Menu and User modules. In part two of the series, they'll show you how to create a custom module.

Link: http://phpmaster.com/openbiz-cubi-a-robust-php-application-framework-1 (posted Fri, 17 May 2013 10:36:20 -0500; http://www.phpdeveloper.org/news/19411)
Matt Setter has a new post to his site today about forms in Zend Framework 2 including a full example on how to use them to create a form for user information (first name, last name).

I think it goes without saying, forms are one of the central elements of any web-based application. They're used for everything from logging in, to searching content and managing information. Given that, they should be first-class citizens, able to be developed and reused with relative ease. [...] However, given the amount of options, configurability and flexibility required, this isn't always easy. [...] In today's post, I'm going to assume you have a basic understanding of how forms work now. [...] I'm going to show you how to create flexible, reusable forms in one module and by the power of the ServiceManager reuse them throughout your application.

He starts with the inclusion of a dependency needed for his example - the ZfcUser component (installed via Composer). He then moves on to the actual code for the form creating a reusable module, an entity class for the User and the Fieldset/Form classes for the contents of the form. He also includes the code for the controller action and the view that outputs the form itself and handles the repopulation automagically (and includes a CSRF token).